Credential Rotation
Definition
Credential rotation is a security procedure in which authentication credentials, such as passwords, API keys, or certificates, are regularly changed or replaced to minimize the risk of unauthorized access.
How it works
Credentials can be systematically changed at predetermined intervals or based on specific events. Credentials such as user passwords may be rotated manually, but it is increasingly common to use an automated system to manage rotation of enterprise passwords, certificates and keys.
Considerations
- Rotation of credentials must be managed carefully to avoid inadvertent service interruption
- Management servers with enterprise policies for account management provide the ability to change or reset passwords for accounts. Some organizations rotate credentials periodically to limit the risk of stolen credentials.
- When responding to an incident, the severity of the compromise should be assessed to determine which credentials, for which accounts, should be regenerated.
- If credentials are rotated proactively on a schedule, several factors should be weighed when choosing the rotation frequency. Forced periodic rotation also introduces some risk: it can promote the creation of weak passwords and poor storage practices among employees, and it makes proper tracking harder.
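The following is an added example, not code from the D3FEND page or from any particular product. It shows the two rotation triggers described above (a fixed interval, or an event such as a confirmed compromise) combined with an overlap window so that a proactive rotation does not interrupt consumers that have not yet picked up the new secret, while a compromise-driven rotation revokes the old secret immediately. All names (`CredentialRecord`, `RotationPolicy`, `rotate`, `accepts`, `run_rotation`, `make_record`) are hypothetical, the store is in memory, and the sample records are constructed.

```python
# Added example: minimal credential rotation scheduler with an overlap window.
# Hypothetical names; in-memory store; sample data is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import hmac
import secrets

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class CredentialRecord:
    name: str
    secret: str
    issued_at: datetime
    previous_secret: Optional[str] = None          # still accepted during overlap
    previous_expires_at: Optional[datetime] = None
    compromised: bool = False                      # set by incident response


@dataclass
class RotationPolicy:
    max_age: timedelta   # proactive (time-based) rotation interval
    overlap: timedelta   # how long the old secret stays valid after cutover


POLICY = RotationPolicy(max_age=timedelta(days=90), overlap=timedelta(hours=1))


def make_record(name: str, age_days: int, compromised: bool = False,
                now: datetime = NOW) -> CredentialRecord:
    """Constructed test data: a credential issued age_days ago."""
    return CredentialRecord(name=name, secret=secrets.token_urlsafe(32),
                            issued_at=now - timedelta(days=age_days),
                            compromised=compromised)


def rotation_due(rec: CredentialRecord, policy: RotationPolicy, now: datetime) -> bool:
    """Event-driven trigger (compromise) or time-based trigger (interval)."""
    return rec.compromised or (now - rec.issued_at) >= policy.max_age


def rotate(rec: CredentialRecord, policy: RotationPolicy, now: datetime) -> CredentialRecord:
    """Issue a new secret. For a proactive rotation the old secret stays valid
    for policy.overlap so in-flight consumers keep working; for a
    compromise-driven rotation it is revoked immediately (no overlap)."""
    if rec.compromised:
        previous, prev_exp = None, None
    else:
        previous, prev_exp = rec.secret, now + policy.overlap
    return CredentialRecord(name=rec.name, secret=secrets.token_urlsafe(32),
                            issued_at=now, previous_secret=previous,
                            previous_expires_at=prev_exp)


def accepts(rec: CredentialRecord, presented: str, now: datetime) -> bool:
    """Constant-time check of a presented secret against the current secret,
    or against the previous one while its overlap window is still open."""
    if hmac.compare_digest(presented.encode(), rec.secret.encode()):
        return True
    if rec.previous_secret is not None and now < rec.previous_expires_at:
        return hmac.compare_digest(presented.encode(), rec.previous_secret.encode())
    return False


def run_rotation(records: List[CredentialRecord], policy: RotationPolicy,
                 now: datetime) -> List[str]:
    """Rotate every due credential in place and return the names rotated,
    which is the audit trail the tracking consideration above calls for."""
    rotated = []
    for i, rec in enumerate(records):
        if rotation_due(rec, policy, now):
            records[i] = rotate(rec, policy, now)
            rotated.append(rec.name)
    return rotated


if __name__ == "__main__":
    store = [make_record("db-app", 100), make_record("api-key", 10),
             make_record("svc-token", 10, compromised=True)]
    print("rotated:", run_rotation(store, POLICY, NOW))
```

The overlap window is what keeps a scheduled rotation from becoming an outage: the new secret is issued and distributed while the old one is still honoured, and the old one lapses on its own once `previous_expires_at` passes. The compromise path deliberately skips that window, matching the incident-response consideration that the severity of compromise, not the calendar, decides when a credential must stop working.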
Technique Subclasses
There are 4 techniques in this category, Credential Rotation.
| Name | ID | Definition | Synonyms |
|---|---|---|---|
| Credential Rotation | D3-CRO | Credential rotation is a security procedure in which authentication credentials, such as passwords, API keys, or certificates, are regularly changed or replaced to minimize the risk of unauthorized access. | |
| - Certificate Rotation | D3-CERO | Certificate rotation involves replacing digital certificates and their private keys to maintain cryptographic integrity and trust, mitigating key compromise risks and ensuring continuous secure communications. | |
| - Password Rotation | D3-PR | Password rotation is a security policy that mandates the periodic change of user account passwords to mitigate the risk of unauthorized access due to compromised credentials. | |
| - One-time Password | D3-OTP | A one-time password is valid for only one user authentication. | OTP |